We pay security researchers who find real bugs. Our promise is simple: you bring us a real finding, we pay you a real bounty, and we never threaten you with legal action for doing your job.

In scope

  • All Prediction Arena smart contracts on Polygon (asset prediction, factory, tournaments, referral)
  • Our public web application
  • Our public APIs
  • Any endpoint that handles signed messages, oracle data, or user authentication

Out of scope

  • Third-party services we depend on (oracle networks, RPC providers, hosting providers — please report those to the upstream vendor)
  • Social engineering of Prediction Arena employees
  • Denial-of-service attacks against our public infrastructure (please don’t)
  • Issues already reported by another researcher or already fixed

Reward tiers (indicative)

Severity | Description                                                        | Reward
---------|--------------------------------------------------------------------|---------------
Critical | Direct theft of user funds, oracle bypass, settlement forgery      | Up to $250,000
High     | Permanent freezing of user funds, round resolution manipulation    | Up to $50,000
Medium   | Temporary DoS of round settlement, info leak of in-window picks    | Up to $10,000
Low      | Hardening recommendations, minor info disclosure                   | Up to $1,500
Final reward amounts are determined based on severity, exploitability, and quality of report.

How to report

Email dev@predictionarenas.app with:
  1. A clear description of the vulnerability
  2. Steps to reproduce
  3. Impact assessment
  4. Any proof-of-concept code (optional but appreciated)
Please do not publicly disclose the vulnerability until we have confirmed a fix. We commit to acknowledging your report within 24 hours and providing a substantive response within 5 business days.

Safe harbor

Good-faith security research conducted under this program will not result in legal action from Prediction Arena. Specifically, we will not pursue civil action or notify law enforcement for accidental, good-faith violations of this policy. We consider activities consistent with this policy to be authorized testing.